[Snort-users] RE: 55808 window size [WAS: (no subject)]

Frank Knobbe fknobbe at ...652...
Tue Jun 24 16:23:01 EDT 2003

On Tue, 2003-06-24 at 16:11, Coyle, Brian wrote:
> As of this morning, I've now seen a couple of false positives from this rule.
> Occasionally, a source with legit traffic[1] will start with a window size of 
> 55808.  Snort triggers on the 55808/SYN packet, but subsequent packets have 
> a reduced window size.  The IP Seq. numbers will also vary as expected for 
> regular traffic.

Other normal traffic has odd Window sizes as well (58400, 63999, 65217,
56940, 17207, 58204, 24616, etc). Why everyone is chasing 55808 is
beyond me. Yeah, it was/is the common thing with some of these scans,
but everyone is using that Window size _by_itself_ as some kind of
identifier (i.e. Snort rule). That's absurd. .... Oh well, don't get me
started on some of these so-called "security researchers" (or
market-droids).... sometimes I wonder if they not "find" exploits in
their own marketing department...

Joe Stewart said in an Incidents post "Probably someone's idea of a joke
on the infosec community." 

That "trojan" may not have been a joke, but the way some people made use
of the situation surely is a joke.

"Move on, nothing to see here." comes to mind...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030624/9743256c/attachment.sig>

More information about the Snort-users mailing list